Hi,

On Fri, Dec 30, 2022 at 05:25:41PM +0100, Tobias Frost wrote:
> On Fri, Dec 30, 2022 at 04:14:25PM +0100, Salvatore Bonaccorso wrote:
> > Hi Steinar, hi Tobias,
> > 
> > On Fri, Dec 30, 2022 at 12:04:29PM +0100, Tobias Frost wrote:
> > > On Fri, Dec 30, 2022 at 11:18:14AM +0100, Steinar H. Gunderson wrote:
> > > > On Fri, Dec 30, 2022 at 11:04:46AM +0100, Tobias Frost wrote:
> > > > > I was trying to triage this CVE and *maybe* those revisions are
> > > > > related:
> > > > > 
> > > > > r1894937 ("apreq_parse_headers: Discard CRLF of folded values.")
> > > > > r1894940 ("reindent (no functional change).")
> > > > > r1894977 ("Follow up to r1894937: Fix setting of empty value.")
> > > > > r1895054 ("Follow up to r1894937: Always eat CRLF at the end of header value.")
> > > > 
> > > > Perhaps it's best to remove libapreq2 entirely? I don't use nor
> > > > maintain it anymore, it's been out of testing for a while, and there's this CVE.
> > > 
> > > #ssh mirror.ftp-master.debian.org "dak rm -Rn libapreq2"
> > > 
> > >   Will remove the following packages from unstable:
> > > 
> > >   libapache2-mod-apreq2 |  2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
> > >   libapache2-request-perl |  2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
> > >    libapreq2 |     2.13-7 | source
> > >   libapreq2-3 |  2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
> > >   libapreq2-dev |  2.13-7+b4 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, ppc64el, s390x
> > >   libapreq2-doc |     2.13-7 | all
> > > 
> > >   Maintainer: Steinar H. Gunderson <se...@debian.org>
> > > 
> > >   ------------------- Reason -------------------
> > > 
> > >   ----------------------------------------------
> > > 
> > >   Checking reverse dependencies...
> > >   # Broken Depends:
> > >   libapache2-authcassimple-perl: libapache2-authcassimple-perl
> > >   libapache2-sitecontrol-perl: libapache2-sitecontrol-perl
> > >   lua-apr: lua-apr
> > >   rapache: libapache2-mod-r-base
> > > 
> > >   # Broken Build-Depends:
> > >   libapache2-sitecontrol-perl: libapache2-request-perl
> > >   lua-apr: libapreq2-dev
> > >   rapache: libapreq2-dev
> > > 
> > >   Dependency problem found.
> > > 
> > > ... and still there's a need to fix the CVE for stable (and also for
> > > (E)LTS)
> > > 
> > > (I'm currently taking a look at 2.17, to see if I can get it packaged; if
> > > I'm succeeding, there will be an NMU announcement :))
> > 
> > Upstream has still not clarified on
> > https://www.openwall.com/lists/oss-security/2022/08/26/4 and given it
> > was now out of bookworm, it might be wise that we actually sunset it
> > for bookworm (including having the above reverse dependencies out of
> > bookworm).
> > 
> > Fixing stable and oldstable is then another story, and I still hope we
> > get feedback from upstream on pinpointing the fixes.
> 
> ACK, I will file a "not suitable for bookworm" bug, so that the new package 
> and r-depends won't migrate.

Thank you Tobi!

> Let's hope that upstream answers…

Regards,
Salvatore
